In this short article, I will go over how to generate an SSL/TLS certificate via and store it in Azure Key Vault for usage in different products in Azure such as Front Door.

Generating SSL/TLS

The certificate is generated by certbot on Mac with a DNS challenge. To begin with, install certbot via brew or your package manager of choice. If you are using any other OS, you can check out the for installing the corresponding OS distribution.

brew install certbot

Once it is installed, start the process with the command below. certbot will give you instructions to manually add a TXT record for the domain for which you are generating the SSL/TLS certificate.

certbot certonly --manual --preferred-challenges dns

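Once it has completed, it will have generated several files, including fullchain.pem and privkey.pem. To make the next step easier, I will convert them into a single pfx file via openssl and use domain.pfx from here on. openssl prompts for an export password, and the resulting domain.pfx contains the private key, so protect it like the key itself.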

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out domain.pfx

Adding to the Azure Key Vault

Azure Key Vault lets you easily provision, manage, and deploy public and private TLS/SSL certificates for use with Azure and your internal connected resources.

If you do not have a Resource Group, you can create one with the following command. If you already have a Resource Group that you want to put your Key Vault in, you can skip this step.

az group create --name kvResourceGroup --location northeurope

If you already have a Key Vault provisioned, you can skip this step. If not, create a new Key Vault with:

az keyvault create --name myKeyVaultXn4 --resource-group kvResourceGroup --location northeurope

Next, import the certificate using the domain.pfx file (if you set an export password when creating it, also pass it with --password):

az keyvault certificate import --vault-name myKeyVaultXn4 --name my-tls-cert --file domain.pfx

Finally, verify that the certificate was added:

az keyvault certificate show --name my-tls-cert --vault-name myKeyVaultXn4

With that, you should be able to use the certificate in different Azure technologies. The process described above is manual; the preferred way is to renew the certificate automatically before it expires.
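The checks below can be run on certbot's output before the conversion and import steps, and cover the expiry point made above. They are an added example, not part of the original article: the function names and the PFX_PASSWORD variable are assumptions, and the file, vault and certificate names in the usage comment are the ones used earlier.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Function names and the
# PFX_PASSWORD variable are assumptions made for this sketch.

# 0 if the key belongs to the leaf (first) certificate in the chain file,
# 1 if it does not, 2 if either file cannot be parsed.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf certificate expires within N days (default 30), 1 if not,
# 2 if the file cannot be parsed.
needs_renewal() {
    local days="${2:-30}"
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    ! openssl x509 -in "$1" -noout -checkend "$(( days * 86400 ))" >/dev/null
}

# Build the PFX only when key and certificate match. A newly created file
# is readable by its owner only, and the export password is read from the
# exported PFX_PASSWORD variable instead of an interactive prompt.
build_pfx() {
    local chain="$1" key="$2" out="$3"
    [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD is not set" >&2; return 2; }
    key_matches_cert "$chain" "$key" || { echo "key/cert mismatch" >&2; return 1; }
    ( umask 077 && openssl pkcs12 -export -in "$chain" -inkey "$key" \
        -out "$out" -passout env:PFX_PASSWORD )
}

# Usage with the article's names (az is not run by this example):
#   export PFX_PASSWORD='...'
#   if needs_renewal fullchain.pem 30; then echo "renew with certbot first"; fi
#   build_pfx fullchain.pem privkey.pem domain.pfx &&
#   az keyvault certificate import --vault-name myKeyVaultXn4 \
#       --name my-tls-cert --file domain.pfx --password "$PFX_PASSWORD"
```

Delete domain.pfx from local disk once the import has been verified, since Key Vault then holds the key material.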


Engin Yöyen




Software Engineer
